Vulnerability Found in Apache Struts

Companies using Apache Struts 2 should be aware of a security risk that could give rise to breach notification duties. On August 22, 2018, the Apache Software Foundation published a security advisory (S2-057, tracked as CVE-2018-11776) and fixed releases for a vulnerability in its Apache Struts web application framework. The flaw affects Struts 2.3 through 2.3.34 and 2.5 through 2.5.16 and is fixed in Struts 2.3.35 and 2.5.17.

Apache Struts is an open source web application framework that uses model-view-controller architecture. A security bulletin was posted on https://cwiki.apache.org crediting Man Yue Mo of the Semmle Security Research team, which described a flaw in Struts 2 that would allow an attacker to perform a remote code execution “attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace[.]”[1] A similar attack is possible “when using [an] url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”[2] The vulnerability may affect any entity that runs Struts 2 applications, from small businesses to Fortune 100 companies.
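The two configuration conditions quoted above are easiest to see side by side. The following struts.xml fragments are an added illustration, not from the original post or from the Apache advisory; the package, action and class names are made up. The first fragment matches the pattern the advisory warns about (a redirectAction result with no namespace under a package with no namespace, with Struts configured to take the namespace from the full request path); the second is the hardened form, which follows the advisory's workaround of always setting an explicit namespace on packages and results.

```xml
<!-- Added example, hypothetical names; not code from the original article. -->

<!-- BEFORE (weak): no namespace on the package, none on the redirectAction
     result, and alwaysSelectFullNamespace=true tells Struts to take the
     namespace from the full request path, i.e. from attacker-controlled input. -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="example" extends="struts-default">
    <action name="actionChain1" class="com.example.ChainAction">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>
</struts>

<!-- AFTER (hardened): explicit namespace on the package and on the result,
     and the namespace is no longer derived from the request path.
     This is a workaround only; the real fix is upgrading to a patched
     release (2.3.35 or 2.5.17). -->
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="example" namespace="/app" extends="struts-default">
    <action name="actionChain1" class="com.example.ChainAction">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
```

The same rule applies to JSPs: any `<s:url>` tag should carry both an `action` and a `namespace` (or a `value`) rather than leaving them unset. Reviewing configuration this way is useful for deciding how exposed a given deployment was, but it does not replace upgrading, because the advisory lists the configuration pattern as a condition for the attack, not as the root cause.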

The description of the vulnerability has been posted online, and this “blueprint” is suspected to provide an easy “how-to” guide for attackers. Attackers may exploit websites running Struts 2 by sending crafted requests to hosted sites, to which the web servers will respond by running commands of the attacker’s choosing. This would allow attackers to undertake malicious acts such as copying or deleting consumer data or installing malware. The Struts version in use can be checked by looking at the struts2-core-<version>.jar under WEB-INF/lib of each deployed application. The risk is not theoretical: Equifax’s 2017 breach, which exposed the sensitive information of roughly 143 million people and which Equifax said it discovered on July 29, 2017, was traced to an earlier Struts 2 vulnerability for which a patch had already been available for months.

If your company uses Apache Struts 2 and you suspect that security has been breached in Louisiana, please review and consider your potential obligations under the recent changes to Louisiana’s Database Security Breach Notification Law and contact your data security attorney.

About the Firm

With more than 150 attorneys in Baton Rouge, New Orleans, Shreveport, Lake Charles, and now Houston, Kean Miller is one of the largest full-service law firms based in Louisiana. We serve the legal needs of the people, businesses, and industries that drive Louisiana. We have particular dedication to serving Fortune 500 companies with significant operations in the South, providing them with legal resources focused on growth. From the courtroom to the boardroom, our people provide creative solutions, unique strategies, and unparalleled value that allow our clients to perform at the highest level.